OpenID Foundation Warns Websites of Authentication Flaw

The OpenID mechanism that allows users to designate a Website to authenticate them as valid users on other sites may not be implemented correctly, researchers warned.

The OpenID Foundation last week released a security bulletin warning of a serious bug that allows attackers to modify OpenID authentication data. Sites that have implemented OpenID 2.0 should check to see if the security hole exists and patch it immediately.

OpenID is an open-source project that allows users to prove their identity without creating a username and password on the site. Facebook, Google, WordPress and Yahoo are some of the major Websites that allow users to log in using OpenID.

Researchers discovered the issue in OpenID's Attribute Exchange, a feature that allows a Website to receive the user's identity information from an authorized server, the foundation said in its advisory on May 5. Some sites were not confirming that the information being sent by AX was signed, which meant that the site wouldn't know if an attacker had modified the information while it was in transit between the requesting server and the OpenID server, according to the advisory.

"If the site is only using AX to receive low-security information like a user's self-asserted gender, then this will probably not be a problem. However if it is being used to receive information that it only trusts the identity provider to assert, then it creates the potential for an attack," the OpenID Foundation said in the advisory.

No attacks have been spotted in the wild exploiting the flaw. However, there is the threat that an attacker could use it to "modify information passed between parties and impersonate a user," John Fontana, an evangelist at Ping Identity, wrote on the Ping Talk blog.

Attackers would be able to manipulate the attributes during the OpenID transaction and gain access to the victim's account, Fontana said.

Researchers and OpenID Foundation board members contacted major Websites that were impacted, and the problem has been fixed on those sites, according to the foundation. The sites were not named in the advisory. Commercial services and libraries from Janrain, Ping Identity and DotNetOpenAuth were not affected by this issue, the OpenID Foundation said.

Web administrators who suspect their applications are vulnerable should modify application code to accept only signed attribute values, the foundation suggested. Applications using OpenID4Java are the most vulnerable as they are prone to accepting unsigned attributes, so administrators should update to the latest version, 0.9.6, of the Java library if it is being used, the foundation said. The Kay Framework patched the flaw in Version 1.0.2.

Security researchers Rui Wang, Shuo Chen and XiaoFeng Wang are credited for uncovering the flaw.

The OpenID Foundatoin reported there were more than 9 million Websites using OpenID to allow users to register and log in to at least some portion of their site in December 2009. By using OpenID, users can authorize a site such as Google to act as a identity provider for other sites that have implemented OpenID, making it a form of single sign-on for multiple Websites. Google has proposed PseudoID, a mechanism to protect users that would prevent attackers from linking stolen sign-on credentials back to user accounts.